It's unclear to me whether you have a problem with the cryptic message (is that so?) or with the fact that you need to download the CAs... which are two distinct issues.
I agree that IBM should make the message clear (but I think it mentions a trust issue; feel free to correct me on that)... but if it is clear, a good developer should be able to find out what the certificate chain is and install the required intermediate and root CAs based on that. I do agree that this is easier by just clicking on a button than getting and uploading them yourself (however, this isn't rocket science either).
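As an added illustration of the two points made in this thread (working out which CA a failing endpoint's chain needs, and clearing expired CAs out of a store before repopulating), here is a Go program that is not part of the discussion or of IBM's DCM. It builds a constructed in-memory PKI with hypothetical names ("Example Root CA", "Example Issuing CA", "sql.example.com"), verifies the chain a server would present against an initially empty trust store the way a TLS client does, reports which issuer is missing, repeats the check after the root has been imported, and lists which store entries are past their NotAfter date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // increasing serial number for the constructed certificates below

// issue creates a certificate for cn; parent == nil yields a self-signed root.
// Constructed in-memory PKI standing in for a real endpoint's chain (hypothetical names).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // short-lived on purpose, see Expired below
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// MissingIssuer verifies the chain a server presented (leaf first, then intermediates)
// against the CAs in the local store. On an unknown-authority failure it returns the
// subject of the issuer that must be imported; "" means the chain verifies for host.
func MissingIssuer(served, store []*x509.Certificate, host string) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	for _, c := range served[1:] {
		inter.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		// unknown.Cert is the highest certificate that could be chained; its issuer is what the store lacks.
		return unknown.Cert.Issuer.CommonName, err
	}
	return "", err
}

// Expired lists the CAs in a store whose NotAfter lies before now: the manual
// clean-up done before re-running a populate step.
func Expired(store []*x509.Certificate, now time.Time) []string {
	var out []string
	for _, c := range store {
		if now.After(c.NotAfter) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

type Result struct {
	MissingBefore string   // issuer CN reported while the store lacks the root
	MissingAfter  string   // "" once the root has been imported
	ExpiredNow    []string // entries already expired (none: the constructed certs are fresh)
	ExpiredIn48h  []string // entries that will have expired two days from now (24h validity)
}

// Scenario runs the failure and the fix: a server chain issued under a root that is
// not in the store, then the same check after that root has been imported.
func Scenario() Result {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	leaf, _ := issue("sql.example.com", false, inter, interKey)
	served := []*x509.Certificate{leaf, inter} // what the endpoint sends; the root is not sent
	var store []*x509.Certificate              // the local trust store, initially empty
	var r Result
	r.MissingBefore, _ = MissingIssuer(served, store, "sql.example.com")
	store = append(store, root) // the "import the missing root CA" step
	r.MissingAfter, _ = MissingIssuer(served, store, "sql.example.com")
	r.ExpiredNow = Expired(store, time.Now())
	r.ExpiredIn48h = Expired(store, time.Now().Add(48*time.Hour))
	return r
}

func main() {
	r := Scenario()
	fmt.Printf("before import: missing issuer %q\nafter import:  missing issuer %q\n", r.MissingBefore, r.MissingAfter)
	fmt.Println("expired now:", r.ExpiredNow, "expired in 48h:", r.ExpiredIn48h)
}
```

The useful detail is the UnknownAuthorityError: Go hands back the top-most certificate it could chain to, so its Issuer field names exactly the CA to fetch and import, rather than every CA in a public list. Against a real endpoint the `served` slice would come from the peer's presented chain instead of being constructed here.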
Original Message:
Sent: Wed December 03, 2025 08:11 AM
From: Robert Berendt
Subject: Populate with CAs
Paul,
You're right. An SQL service won't need a particular cert by itself. It is the endpoint URL. However I HAVE seen IBM issue services which went to endpoint URLs, which failed until you went into "Populate with CAs".
So what you are saying is that developers who try these new services and end up getting some weird SQL.... message need to open a case with IBM to find out that they need to add the new cert?
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Wed December 03, 2025 04:20 AM
From: Paul Nicolay
Subject: Populate with CAs
An IBM SQL Service won't need a specific CA by itself... that is determined by the URL you connect to, and I don't consider it IBM's responsibility to provide you the CA for it (if you connect to an internal server that is using a local CA, you'll need to import it yourself anyway).
Official lists can be found at ccadb.my.salesforce-sites.com/microsoft/IncludedCACertificateReportForMSFT, CA/Included Certificates - MozillaWiki, or Available root certificates for Apple operating systems - Apple Support. Which list IBM is using in the GUI is something I don't know.
------------------------------
Paul Nicolay
Original Message:
Sent: Tue December 02, 2025 10:21 AM
From: Robert Berendt
Subject: Populate with CAs
I appreciate all these concerns. However I would still have to log on to DCM, execute Populate with CAs. I am not going to take the time to individually review each CA. And how am I supposed to know which CA is needed by some new IBM SQL Service which retrieves info from the internet?
https://ibm-power-systems.ideas.ibm.com/ideas/IBMI-I-4736
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Mon December 01, 2025 04:48 PM
From: Jared Pehrson
Subject: Populate with CAs
There are different Certificate Authority certificate management policies and processes. However, IBM i Security would suggest the "as-required" principle would apply here. The intent of the "Populate with CAs" function in DCM was to make it easier for the client to self-populate the well-known public CAs they require, as well as make it easier for IBM i development to update the "Populate with CAs" list of CAs via IBM i PTFs and not touch your certificate store. So as IBM i DCM PTFs are applied to your IBM i server, they may include new well-known public CAs under the Populate with CAs list in DCM. As a result, subsequent "Populate with CAs" executions may result in additional CAs (if selected) being added to your *SYSTEM certificate store. Do you NEED to re-run the Populate with CAs function after an IBM i PTF apply? The answer depends. Yes, if you require the newly PTF-provided CAs to be populated in your *SYSTEM certificate store to resolve a TLS connectivity issue or prepare to be used on a TLS connection. No, if you don't have a current or an anticipated need to actually use these CAs with a TLS connection and your company implements the "as-needed or as-required" security policy.
In addition, there are also performance considerations directly related to the number of certificates, including Certificate Authorities, that exist in your DCM *SYSTEM certificate store. The more certificates that exist in the certificate store, the longer it will take to search for and identify the correct certificates for each TLS certificate operation and connection. In addition, certificate stores with a large number of certificates need to be considered for scalability in very, very high TLS transactional environments. As a result, IBM recommends keeping the number of certificates in your certificate stores to a minimum for these security, performance, and scalability reasons.
There is no CL command or external API that can be called to execute the "Populate with CAs" operation outside of the DCM GUI. However, there are fairly new IBM i DCM REST APIs you can use to manage digital certificates and create your own "Populate with CAs" utility across multiple IBM i endpoints. Alternatively, you could execute your "Populate with CAs" utility to multiple IBM i systems using the ibm.power_ibmi Ansible for i collection.
To obtain the CA certificates in "Populate with CAs", you will need to create a new certificate store in DCM using the "Other" type, populate it yourself with the entire list of CAs (via the DCM GUI) and then use the DCM REST API to export all of the CAs from the new certificate store to populate your CA repository that you can use with your client program that will import the CAs across your IBM i servers.
------------------------------
Jared Pehrson
IBM
Original Message:
Sent: Mon December 01, 2025 01:21 PM
From: Robert Berendt
Subject: Populate with CAs
Is there a command line or other batch way of performing "Populate with CAs"?
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Fri November 21, 2025 10:05 AM
From: Robert Berendt
Subject: Populate with CAs
So is it generally accepted practice to go into DCM (Digital Certificate Manager) at
https://youribmi.yourdomain.com:2007/dcm/mainframe/system after applying PTFs, select the "Populate with CAs", Select All, Populate and pull in the new ones?
I did this a while back, when I was having issues with some of the SQL services and the remote work they do. Today I went in, deleted the expired ones, and repopulated. Pulled in about 15 since the last time, and none of them are expired.
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
------------------------------